Jason Barnabe

icon indicating an email [email protected]

icon location Grande Pointe, MB

Results 99 comments of Jason Barnabe

False positive - SQL injection when using IDs in second query

To walk this back one step... This should not be a fail. ```ruby User.connection.execute("DELETE FROM users WHERE id IN (#{[1,2,3].join(',')})") ``` (Of course in this case I can do it...

False positive - SQL injection when using IDs in second query

Using the protected `sanitize_sql_array` seems to satisfy brakeman. No warnings on these: ```ruby User.connection.execute("DELETE FROM users WHERE #{ActiveRecord::Base.send(:sanitize_sql_array, ['id IN (?)', [1,2,3]])}") User.connection.execute(ActiveRecord::Base.send(:sanitize_sql_array, ['DELETE FROM users WHERE id IN (?)',...

False positive - SQL injection when using IDs in second query

I agree, no one would use that with `[1,2,3]`. But a much more common scenario would be something like this: ```ruby user_ids = User.where(active: true).map(&:id) User.connection.execute("DELETE FROM users WHERE id...

JSONP and reflected flash file (new flaw to possibly check for)

`render :json => resource, :callback => params[:callback]` is the built-in way for JSON responses. https://github.com/rails/rails/pull/16109 is supposed to fix this, but I don't see the comment when using the above...

JSONP and reflected flash file (new flaw to possibly check for)

https://github.com/rails/rails/pull/16109 looks like it's going out in [4.0.10](https://github.com/rails/rails/blob/v4.0.10.rc2/actionpack/CHANGELOG.md) and [4.1.6](https://github.com/rails/rails/blob/v4.1.6.rc2/actionpack/CHANGELOG.md).

Detect open linking - url_for(params) without only_path or host

I lied in the above comment, I'm actually making a ``, which is why I mentionned `url_for` rather than `link_to`. This seems like it would be a good idea for...

Maintained?

Looks like this has been forked into https://github.com/caxlsx/

No filterableAttributes set even though it's in config

Even simpler case, with: ```ruby meilisearch do filterable_attributes [:account_id] end ``` I get the same behaviour: ```ruby Customer.index.delete customer = Customer.find(...) customer.ms_index! Customer.index.get_settings => {"displayedAttributes"=>["*"], "searchableAttributes"=>["*"], "filterableAttributes"=>[], "sortableAttributes"=>[], "rankingRules"=>["words", "typo",...

No filterableAttributes set even though it's in config

It's possible that I'm missing some step when reconfiguring the index, but there's no answer in #161 yet so I'd prefer to leave this open in case it's a separate...

No filterableAttributes set even though it's in config

Yes, if I change `index_uid` and call `customer.ms_index!`, then I see the proper settings when calling `Customer.index.get_settings` and the search works. Playing with it a bit more, I find that...